According to Yahoo's chief information security officer (CISO), Bob Lord, the stolen data contains names, telephone numbers, email addresses, dates of birth, passwords hashed with MD5 (described in the disclosure as "encrypted") and, in some cases, security questions and their answers, both encrypted and unencrypted.
The blog post further explains that the data does not contain clear-text passwords, and that users' banking and payment card data was not affected because the company does not store it on the same server.
Yahoo also revealed that this hack is separate from the one that took place in September 2014, in which 500 million user accounts were stolen by "state-sponsored actors"; however, investigators have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016.
Yahoo is urging users to change their password and security questions.
Remember that on July 25, 2016, Verizon Communications Inc agreed to purchase Yahoo!'s operating business for $4.83 billion; given Yahoo's string of embarrassing data breaches, it would not be surprising if Verizon decided to drop the deal.
Tony Gauda, CEO of ThinAir, warns tech giants about poor security and predicts that more companies will discover that cyber criminals stole data right under their noses.
“The second cyber-attack discovered at Yahoo illustrates just how difficult data breach investigations have become. Even while the company was assessing its systems following the discovery of the 2014 breach, this separate and larger breach went completely unnoticed. It’s clear organizations lack adequate visibility of their data. You don’t stand a chance defending digital assets you can’t see. Yahoo isn’t the only company with a breach just waiting to be discovered, and until the industry prioritizes reducing the time spent on investigations, this cycle will continue.”
Vishal Gupta, CEO of Seclore, also sees a negative impact on the Verizon-Yahoo deal after this series of massive data breaches.
“Yahoo is learning for the second time this year that the most dangerous data breach is the one that goes undetected, and it could have a significant impact on negotiations with Verizon. With the details of over a billion users compromised, there is no doubt that the leaked information has already been leveraged by cybercriminals in one way or another. While payment details weren’t stolen, the hackers made away with names, email addresses, phone numbers, and other PII that can be used for highly targeted spear-phishing campaigns. Until organizations responsible for safeguarding large amounts of user information shift to a data-centric security model, they remain highly valuable targets for hackers, who will continue to come up with inventive ways to infiltrate systems.”
Casey Ellis, CEO and founder of Bugcrowd, commented that, as every failure is an opportunity, this may also be an opportunity for Yahoo to prove itself a resilient firm.
“In a year full of high-profile, bigger-than-ever breaches and DDoS attacks it should no longer be surprising that anyone is hit by a major breach. As before, it’s likely that at this point Yahoo is already past the assessment stage, having determined the initial damage and the value of the assets that were affected. But what is the next step? They are likely trying to determine how to prevent this from happening yet again. This is yet more proof that security is a moving target, which is why continuous testing should be fundamental for any organization – especially those that handle sensitive data.
There is a tendency for organizations to focus on finding the perpetrator in these attacks, but especially given understaffed security teams, a better area of focus is not the who, but the what. Just as you can’t control which burglar shows up at your door, you can’t control which threat actor attacks you. However, you can control where you are vulnerable, locking your door and closing the vulnerabilities in your systems.
In security, it’s not about proving you’re secure, it’s about proving you’re resilient. This will be yet another opportunity for Yahoo! to prove just that.”
Richard Henderson, Global Security Strategist at Absolute, warns users to change their passwords, since those behind this breach can run further scams by trying the same password against users' financial accounts.
“Things get dicey when we look at the long-standing problem of password reuse. If the billion password hashes have been broken, then that provides a ton of ammunition for attackers to attempt to get into other accounts belonging to the same target. If you used the same password for your bank or for your iCloud picture storage as you did for Yahoo, then an attacker has all he or she needs to breach those other accounts.
Organizations watching these developments should be taking the time to thoroughly review how they are storing passwords themselves – if they’re not storing hashes appended with a long enough random salt (and it needs to be a unique salt per user) – then they need to get on top of that right away.
Beyond that, there are lots of companies out there that comb the web for password lists and will compare them against their own users’ passwords. If there’s a match, the password has been reused and should be changed.
On the user side, you can mitigate the risk that a breach like this will lead to someone getting into your other internet assets by ensuring every password you use is unique, random and varied. A password manager program can make this simple for you. Using multi-factor authentication whenever it is offered also will lower your risk profile.”
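As an added example (not from the article or from anyone quoted in it), the following Python shows the two points Henderson makes: why an unsalted MD5 store lets one cracked hash expose every account sharing that password, and how a site with unique per-user salts checks its own users against a scraped password list. The account names and the "leaked" list are constructed, and PBKDF2-HMAC-SHA256 stands in for whatever slow, salted hash a site would actually choose.

```python
import hashlib
import os
from collections import defaultdict

# Constructed sample accounts; "alice" and "carol" reuse the same password.
SAMPLE_USERS = {
    "alice": "Summer2016!",
    "bob": "correct horse battery staple",
    "carol": "Summer2016!",
    "dave": "x9#Lq2v!pR7z",
}

# Constructed stand-in for a password list scraped from a public dump.
LEAKED_PASSWORDS = ["123456", "Summer2016!", "password1"]


def md5_store(users):
    """Unsalted MD5, the scheme reportedly behind the breached Yahoo hashes."""
    return {u: hashlib.md5(p.encode()).hexdigest() for u, p in users.items()}


def shared_digests(store):
    """Groups of users whose digests collide. With no salt, cracking one digest
    unlocks all of them, and one precomputed table covers the whole dump."""
    groups = defaultdict(list)
    for user, digest in store.items():
        groups[digest].append(user)
    return [sorted(us) for us in groups.values() if len(us) > 1]


def salted_store(users, iterations=100_000):
    """Per-user random salt plus a slow KDF: the same password now yields a
    different record for every user, so precomputed tables no longer apply."""
    store = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
        store[user] = (salt, iterations, digest)
    return store


def users_with_leaked_passwords(store, leaked):
    """Defender-side check: derive each scraped password under each user's own
    salt and compare; any match is a reused password that must be reset."""
    hits = set()
    for user, (salt, iterations, digest) in store.items():
        for candidate in leaked:
            if hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations) == digest:
                hits.add(user)
                break
    return sorted(hits)
```

With the salted store the check costs one derivation per user per candidate, which is exactly the cost the attacker also has to pay; with the MD5 store a single digest per candidate covers every user.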
Just last week, a hacker reported a critical bug in Yahoo that allowed attackers to read anyone's email at any time, and a couple of months ago Yahoo was slammed by its users when it was revealed that the company had built software to secretly scan user emails for the NSA.
If you want to delete your Yahoo account, see our complete guide on why and how to delete your Yahoo email account permanently.